In the long history of hacking, there have been numerous data breaches that, years or even decades later, remain unsolved. Countless hackers and hacking groups behind them have never been unmasked.
But prolific hacking groups do get caught. This is true whether they’re cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies including Microsoft and Nvidia, and which has had multiple members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted, and placed on most-wanted lists.
Still, some of the most fascinating cases in cybersecurity history remain wide open — no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit several of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.
The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.
In the summer of 2016, in the midst of the Russian hacks related to the U.S. presidential elections, the group appeared on Twitter. They linked to a Pastebin post and @-mentioned several news outlets — a strange, ineffective strategy that meant most of those outlets likely never saw the tweets.
But if anyone had clicked on the link, they would have seen a document titled “Equation Group Cyber Weapons Auction — Invitation” — a reference to the shadowy hacking operation widely believed to be run by the NSA.
“!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” the hackers wrote, claiming to have hacked the Equation Group.
The document included links to download some of the hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making a bid. “Auction files better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a U.S.-Israeli cyberattack in 2007. They asked for at least one million Bitcoin.
The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized these were exceptionally sophisticated cyberweapons, very likely stolen from the NSA — a suspicion bolstered by the fact that some of them shared names with programs revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, since the group eventually dumped many of the tools publicly months later. Much about the Shadow Brokers made little sense. Their broken English was almost comical, as if they were either trying too hard or deliberately signaling the artifice. Despite clearly seeking attention — and getting plenty of press coverage — the group spoke to a journalist only once, giving a brief interview to 404 Media’s Joseph Cox, then a reporter at VICE Motherboard.
Ten years later, we know literally nothing about who was behind the Shadow Brokers persona. Cox and I interviewed former NSA staffers at the time, who said an NSA insider or former insider could be involved. But nobody has ever been arrested and charged — extraordinary, given that this was arguably one of the worst leaks of U.S. intelligence hacking tools ever.
One possible suspect was Harold T. Martin III, an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: while Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leaks. The most widely credited theory is that the Shadow Brokers were created by a Russian government spy group as a propaganda tool.
The impact was massive. Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, quickly expand their access, and deploy self-propagating worms. (Zero-day vulnerabilities are flaws unknown to the software maker, meaning no patch yet exists.) North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally. For businesses, the lesson was stark: vulnerabilities hoarded by intelligence agencies don’t stay secret forever — and once they leak, the private sector pays the price.
The trove is still yielding discoveries. Among the leaked tools was one containing a list of project names — including one called Fast16, flagged only with the note “NOTHING TO SEE HERE — CARRY ON.” Last month, researchers announced they had located and examined it, uncovering malware dating to 2005, designed to tamper with software allegedly used by Iranian nuclear scientists.